WP MtG-Helper Security & Risk Analysis

wordpress.org/plugins/wp-mtg-helper

The goal of this plugin is to help you write articles about Magic: the Gathering, like tournament reports or draft walkthroughs, and reduce the time …

10 active installs · v1.2.7 · PHP + · WP 2.5+ · Updated May 25, 2013
Tags: deck, help, magic, magic-the-gathering, mtg
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP MtG-Helper Safe to Use in 2026?

Generally Safe

Score 85/100

WP MtG-Helper has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 12yr ago
Risk Assessment

The wp-mtg-helper v1.2.7 plugin exhibits a mixed security posture. On the positive side, it has no known vulnerabilities in its history and demonstrates good use of nonce and capability checks, indicating an awareness of security principles. The absence of critical or high-severity taint flows and dangerous functions further contributes to a seemingly robust internal code structure regarding common exploit vectors.

However, significant concerns arise from the static analysis. The plugin executes 8 SQL queries, none of which utilize prepared statements. This is a major security risk, as it opens the door to SQL injection vulnerabilities if any of the data feeding these queries originates from user input without proper sanitization. Furthermore, out of 114 output operations, a concerning 0% are properly escaped. This lack of output escaping is a critical flaw that could lead to cross-site scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website.

While the plugin has no recorded vulnerabilities, the identified static analysis issues represent significant potential weaknesses. The absence of past CVEs might indicate diligent patching by developers or simply that the plugin hasn't been a target, but it does not negate the inherent risks in the current codebase. The plugin's strength lies in its entry point management and use of checks, but its weakness is in fundamental data handling and output sanitization.

Key Concerns

  • SQL queries without prepared statements
  • Output escaping not properly implemented
Vulnerabilities
None known

WP MtG-Helper Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

WP MtG-Helper Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 8 (0 prepared)
Unescaped Output: 114 (0 escaped)
Nonce Checks: 14
Capability Checks: 16
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared · 8 total queries

Output Escaping

0% escaped · 114 total outputs
Data Flows
All sanitized

Data Flow Analysis

6 flows
<mtg_helper> (js\mtg_helper.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

WP MtG-Helper Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes 2

[cardlist] js\mtg_helper.php:54
[cardlist] mtg_helper.php:54
WordPress Hooks 18
action admin_menu js\mtg_helper.php:50
action init js\mtg_helper.php:53
filter the_content js\mtg_helper.php:55
filter the_content js\mtg_helper.php:56
filter comment_text js\mtg_helper.php:58
filter plugin_action_links js\mtg_helper.php:76
action wp_head js\mtg_helper.php:179
action wp_head js\mtg_helper.php:181
action admin_footer js\mtg_helper.php:206
action admin_menu mtg_helper.php:50
action init mtg_helper.php:53
filter the_content mtg_helper.php:55
filter the_content mtg_helper.php:56
filter comment_text mtg_helper.php:58
filter plugin_action_links mtg_helper.php:76
action wp_head mtg_helper.php:179
action wp_head mtg_helper.php:181
action admin_footer mtg_helper.php:206
Maintenance & Trust

WP MtG-Helper Maintenance & Trust

Maintenance Signals

WordPress version tested: 1.2.7
Last updated: May 25, 2013
PHP min version
Downloads: 6K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

WP MtG-Helper Developer Profile

distractedBySquirrels

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP MtG-Helper

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-mtg-helper/js/mtgh.js
/wp-content/plugins/wp-mtg-helper/js/jquery.dimensions.min.js
/wp-content/plugins/wp-mtg-helper/css/mtgh.css
Script Paths
/wp-content/plugins/wp-mtg-helper/js/mtgh.js
/wp-content/plugins/wp-mtg-helper/js/jquery.dimensions.min.js
Version Parameters
wp-mtg-helper/js/mtgh.js?ver=
wp-mtg-helper/js/jquery.dimensions.min.js?ver=

HTML / DOM Fingerprints
